Security researchers have found a Windows Trojan called Evrial, which can replace a bitcoin address in the Windows clipboard with a different address. The malware is reportedly sold on Russian hacker forums.
MalwareHunterTeam, which discovered the malware, says that the difference from variants with similar functionality is that this sample is more capable of loading the addresses from a command-and-control server. Also, the replacement is reportedly not limited to bitcoin addresses; it extends to altcoins and trade links in Steam. The idea behind the function is that a victim with an infected system wants, for example, to send a sum of money to a cryptocurrency address and copies the address for that purpose. If the replaced address is then pasted from the clipboard, the transfer goes to the attacker.
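A defender can look for the clipboard behaviour described above: an address-shaped value that is replaced by a different address-shaped value moments after it was copied. The following Python sketch is an added example, not code from MalwareHunterTeam or Bleeping Computer; the regular expression, the two-second window, the function names and the sample clipboard history are all assumptions made for illustration.

```python
import re

# Assumption: only two bitcoin address shapes are matched (legacy Base58 and
# bech32); altcoin addresses and Steam trade links would need their own patterns.
ADDRESS_RE = re.compile(
    r"^(?:[13][1-9A-HJ-NP-Za-km-z]{25,34}|bc1[02-9ac-hj-np-z]{11,71})$"
)

# Constructed placeholder strings that only have the right shape; not real addresses.
COPIED = "1" + "V" * 33
SWAPPED = "1" + "X" * 33
BECH32 = "bc1q" + "z" * 38

# Constructed clipboard history: (seconds since start, clipboard text).
EVENTS = [
    (0.0, "meeting notes"),
    (10.0, COPIED),    # user copies the payee address
    (10.3, SWAPPED),   # clipboard changes again 0.3 s later without a new copy
    (60.0, "hello"),
    (90.0, BECH32),
    (200.0, COPIED),   # a different address much later: ordinary user activity
]


def is_address(text):
    """True if the text looks like one of the supported address formats."""
    return bool(ADDRESS_RE.match(text.strip()))


def find_swaps(events, window=2.0):
    """Return (t_copy, t_swap, original, replacement) for every change from one
    address to a different address that happens within `window` seconds."""
    swaps = []
    prev = None
    for t, text in events:
        text = text.strip()
        if prev is not None:
            prev_t, prev_text = prev
            if (is_address(prev_text) and is_address(text)
                    and text != prev_text and t - prev_t <= window):
                swaps.append((prev_t, t, prev_text, text))
        prev = (t, text)
    return swaps


if __name__ == "__main__":
    for t_copy, t_swap, original, replacement in find_swaps(EVENTS):
        print(f"address copied at {t_copy}s was replaced at {t_swap}s: "
              f"{original} -> {replacement}")
```

The replacement address is itself well formed, so format or checksum validation alone does not catch the swap; comparing the complete pasted address with the intended one before sending remains the decisive check.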
The team tells Bleeping Computer that the malware is sold on Russian hacker forums for 27 dollars. It is not clear how the malicious software is distributed. Evrial is also capable of more actions, such as stealing documents and wallets or uploading screenshots. According to MalwareHunterTeam, the malicious software is detected by about a third of the antivirus products on VirusTotal. It is possible that more of them detect it by now.
How successful the clipboard replacement method is remains unclear. An earlier variant with similar functionality, called CryptoShuffler and discovered by Kaspersky, netted around $140,000 in bitcoins over the course of a year, based on the bitcoin price of October of last year.